Poor disaster recovery planning and the failure of the office of the provincial chief information officer to align other departments with a corporate IT strategy, placed the computer systems of New Brunswick under considerable risk.
This is was the assessment of the auditor general of New Brunswick yesterday when she raised concerns over the ability of the province’s IT system to function in the event of a power outage.
The system’s current state is “not acceptable, ” said Auditor General Kim MacPherson when she released her office’s report into the events of June 9 last year when all three main components of the government’s Marysville Data Center failed following a power outage. Recovery of department systems and data in the event of a system outage depend on the availability of services rendered through the Marysville Data Centre.
Many government services were disable or disrupted “for the day and following weeks,” due to the failure, according to her 2014 report which was released on Thursday.
There was loss of access to critical services and direct outage-related costs was estimated at $967,000.
“Access to government services is essential. Backup systems must be able to take over when power outages occur,” she said. “The current exposure to risks we observed during our work is not acceptable.”
Among other things the report revealed that vulnerability in the backup power system had been identified as early as 2009 and that the province did not have a documented IT continuity and disaster recovery plan in place should the Marysville Data Cebtre fail
Some progress was made regarding prior recommendations “but efforts of the government to mitigate outage risks are still insufficient,” a statement from the AG’s office said. “There was some business continuity planning in some departments but no consensus on the appropriate strategic direction at the corporate level.”
The report also said the Office of the Chief Information Officer (OCIO) does not have authority to direct departments to align with “overarching corporate-level strategic goals.
In its study of the June 9, 2014 power outage the report found:
- Pervasive failure of backup systems, including independent failures of uninterrupted power supply equipment, automatic transfer switch and standby power generator
- Even the failure of one component threatened IT services
- Inadequate preparedness (reaction was reactive and no evidence of formal disaster recovery plan)
Among the recommendations was that the OCIO define roles and responsibilities related to a corporate IT strategic plan for all departments and to take recommendations to cabinet to ensure strategic goals are aligned.
“It is unclear where central authority lies to implement government-wide upgrades to the IT systems and equipment,” said MacPherson. “Without an explicit directive from government, significant changes to the IT infrastructure may not be possible.”